Understanding Criticality and CVSS in the Context of Vulnerability Management
The ability to prioritize is an essential part of vulnerability management. Discovering vulnerabilities and ending up with a lengthy to-do list of problems simply isn’t enough. Context and insight into each vulnerability or issue’s severity and potential business impact are critical, so you can decide how to respond. Does it need to be fixed immediately? Can it be deprioritized? In some cases, you may even decide it’s not severe and that you are comfortable accepting the risk it poses.
The industry standard for rating the criticality of vulnerabilities is the Common Vulnerability Scoring System (CVSS), which is maintained by the Forum of Incident Response and Security Teams (FIRST). This system provides a score from 0.0 (no issue at all) to 10.0 (most critical).
If you are interested in learning more about CVSS scores and how the Onapsis Platform leverages them to assess and prioritize vulnerabilities within SAP and Oracle applications for customers, read this blog.
What is Vulnerability Management?
We’ve established that not all vulnerabilities are equal and that new ones are constantly being discovered, so having a solution and process to stay on top of them is critical as part of a larger security strategy. Vulnerability management is the continuous process of identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities.
No matter the industry or size of your organization, every business can benefit from a vulnerability management solution. An effective vulnerability management program regularly checks for vulnerabilities, provides information around criticality and business impact, and supports remediation of vulnerabilities by aligning security, IT, and DevOps teams.
Why is Vulnerability Management Important?
At the center of every enterprise organization are certain critical applications for core functions such as finance, manufacturing, human resources, sales, and supply chain management. Whether they exist on premises, in the cloud, or as a mix of both, an attack against any of them has the potential for a devastating impact across the entire organization. To protect these SAP and Oracle applications, enterprise organizations commonly employ a “defense-in-depth” security model (i.e., applying layers of technology to protect critical systems). Unfortunately, not enough consideration is given to the last layer of security, the critical application itself, especially since these systems are frequently managed by information technology professionals focused more on development and continuity than on security.
An attack against a business application could weaponize the rights and privileges of an administrator. If an administrator role is hijacked, the attacker could bypass all controls of the application and gain access to its business data and processes. Successfully exploiting a vulnerable system allows an attacker to carry out a wide range of malicious activities, from disrupting supply chains and manufacturing processes to redirecting financial payments and compromising highly sensitive data, most of which is subject to compliance regulations. The need to have a solution in place that is tailored to protect your SAP and Oracle systems is more urgent than ever before.